Social network Facebook has inadvertently shared phone numbers and email
addresses of 6million users, the site has admitted.

A bug, which has now been fixed, meant that the site collated information about users to create master records including phone numbers and email addresses that the owners had never intended to share.

Facebook said it was “upset and embarrassed” by the issue and had notified its regulators.

If Facebook users uploaded their address books to the site, email addresses and phone numbers were connected with profiles of their friends on Facebook’s servers. Other users who subsequently downloaded data about those friends, using Facebook’s Download Your Information tool, were then presented with the entire record.

Facebook claimed it connected the information so that it could make sure users were invited to connect to friends who were already on the site, rather than suggest to existing users that they invite people to join.

Although 6million users were affected around the world, it is thought that around 200,000 of those live in the UK. Facebook said its own ‘white hat’ security programme was responsible for the discovery of the bug and its fixing. It is emailing all those who have been affected, but is not breaking down numbers officially by country.

Writing on the Facebook blog, the site said “Even with a strong team, no company can ensure 100% prevention of bugs and in rare cases we don’t discover a problem until it has already affected a person’s account.” The company apologised that it “may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them.”

A Facebook spokesman said “We appreciate the security researcher's effort to report this issue to our White Hat Programme. We worked with the researcher to evaluate the scope of the issue and fix this bug quickly and discussed the issue with our regulators. The bug occurred in limited situations, generally in which one user already had contact information for another, and we have no evidence that it was exploited maliciously. We have already notified affected users and have provided a bounty to the researcher to thank him for his contribution to Facebook security.”

The blog post added that “No other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool. We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing. Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway or who had some connection to one another, it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again.”

The site told users “Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure.” It added it had paid the researcher a "bug bounty".